A virtual tunnel interface (VTI), also called native IPsec, does the same job as GRE with IPsec: both encrypt the tunnel traffic with IPsec. VTI removes the additional 4-byte GRE header, so less bandwidth is spent on sending the encrypted data. VTI allows ACLs, NAT, and QoS to be configured on the tunnel interface. Remember that the default mode for a tunnel interface is GRE; to configure an SVTI tunnel you have to set the tunnel mode to IPsec IPv4.
There are two types of VTI (Virtual Tunnel Interface):
1. Static Virtual Tunnel Interface (SVTI)
2. Dynamic Virtual Tunnel Interface
The SVTI configuration is very simple: we do not need to define interesting traffic with an ACL. The configuration is the same as for GRE with IPsec, with one small difference: we have to define the tunnel mode.
Let's see the topology: https://youtu.be/b3wNC8mAI9E?si=NtBhT1iXmevfqbu7
- Configure the topology as per the diagram
- Assign the IP addresses as per the topology
- Configure the static and default routes
- Configure a tunnel between Site-A-R and Site-B-R
- Configure EIGRP and advertise the tunnel interface and the LAN network on both sites
- Configure IPsec and apply it on the tunnel interface
- Make sure the data is encrypted
Site-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit
Site-A-router(config)#interface fastEthernet 0/0
Site-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit
*Jan 11 12:20:47.079: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel1234) is up:new adjacency
*Jan 11 12:20:47.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1(Tunnel123) is up: new adjacency
IP-EIGRP neighbors for process 123
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.123.2 Tu1234 11 00:01:26 66 1362 0 5
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 3.3.3.1 to network 0.0.0.0
C 192.168.123.0/24 is directly connected, Tunnel123
C 3.0.0.0/8 is directly connected, Serial4/1
D 10.0.0.0/8 [90/26882560] via 192.168.123.1, 00:01:11, Tunnel123
C 30.0.0.0/8 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 3.3.3.1
Site-B-router(config-isakmp)#authentication pre-share
Site-B-router(config-isakmp)#hash sha
Site-B-router(config-isakmp)#group 5
Site-B-router(config-isakmp)#encryption aes
Site-B-router(config-isakmp)#exit
Site-A-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-A-router(cfg-crypto-trans)#mode ?
transport transport (payload encapsulation) mode
tunnel tunnel (datagram encapsulation) mode
Site-A-router(cfg-crypto-trans)#mode tunnel
Site-A-router(cfg-crypto-trans)#exit
Site-B-router(cfg-crypto-trans)#mode tunnel
Site-B-router(cfg-crypto-trans)#exit
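The complete SVTI configuration for one side, Site-A-router, put together from the pieces shown above. This is an added example, not configuration from the original post; it uses the page's values (Tunnel1234, 192.168.123.1, WAN 1.1.1.1, LAN 10.0.0.0/8, EIGRP AS 123, TRANS-SET) and assumes a Site-B WAN address of 3.3.3.2, an ISP next hop of 1.1.1.2, ISAKMP policy number 10, the profile name IPSEC-PROF, and a placeholder pre-shared key.

```cisco
! Added example (not from the original post): full SVTI config for Site-A-router.
! Assumed values not on the page: Site-B WAN 3.3.3.2, ISP next hop 1.1.1.2,
! policy number 10, profile name IPSEC-PROF, pre-shared key placeholder.
!
! Phase 1 (ISAKMP) policy, matching the parameters shown for Site-B-router
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
! Pre-shared key for the Site-B peer (placeholder, replace with a real key)
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 3.3.3.2
!
! Phase 2 transform set in tunnel mode, as chosen on the page
crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
 mode tunnel
!
! The IPsec profile takes the place of a crypto map: no crypto ACL is needed
crypto ipsec profile IPSEC-PROF
 set transform-set TRANS-SET
!
! Default route toward the ISP (next hop assumed)
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
! SVTI: the default tunnel mode is GRE, so it must be changed to ipsec ipv4
interface Tunnel1234
 ip address 192.168.123.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel destination 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! EIGRP over the tunnel: advertise the LAN and the tunnel subnet
router eigrp 123
 network 10.0.0.0
 network 192.168.123.0
```

Site-B-router gets the mirror image (Tunnel123, 192.168.123.2, source 3.3.3.2, destination 1.1.1.1, network 30.0.0.0); after the EIGRP adjacency comes up, check that the encaps and decaps counters in show crypto ipsec sa increase while LAN-to-LAN traffic flows.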